Why you need to be more concerned about email security - and what you can do about it.
Since revelations that the U.S. government is collecting massive amounts of data from electronic communications, the notion of online privacy has taken a big hit. Yet the loss of sensitive patient data is not merely a question of government snooping or corporate espionage. Email poses the highest risk for accidental data exposure, breaches of privacy or non-compliance with data protection regulations.
Your email is an open book. Almost all email traffic traverses the public internet unencrypted, in plain text. It’s like sending a postcard in the mail: anyone who comes across it, whether by design or by chance, can read the full content without you ever knowing. You might be wondering who could be interested in reading your email.
What about your ISP or online mail service provider? Google is definitely interested. In a recent court filing, Google acknowledged that Gmail users have no “reasonable expectation” of privacy or confidentiality. In its motion to dismiss a May 2013 class action lawsuit against it, Google stated:
“All users of email must necessarily expect that their emails will be subject to automated processing. Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery. Indeed, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”
That’s a “stunning admission,” according to the Consumer Watchdog advocacy group, which recommends that people concerned with email privacy shouldn’t use Gmail. Unfortunately, that’s no solution. It’s about as practical as recommending people not use email at all. Even if you don’t use Gmail, undoubtedly you have to correspond with patients, partners or other stakeholders who do.
But the risks with email are not limited to intentional snooping by the likes of Google or the NSA. How many times have you accidentally “replied all” to an email intended for one recipient? Or accidentally sent an email to the wrong individual thanks to auto-complete in your email client? This happens all the time. And the consequences of sending sensitive information to the wrong person could be devastating, ranging from publicly acknowledging a leak to fines, loss of trust, reputation damage and worse.
Then there are the latest email attacks to consider, such as phishing, which continue to evolve. Phishing is the act of attempting to acquire information such as usernames, passwords or credit card details by sending email that masquerades as a trustworthy sender.
Phishing is often successful because of a technique known as email address spoofing, where the attackers use addresses in the “from” field that mimic legitimate accounts such as a bank, or even one using your company’s domain name to make the email appear to come from an internal sender like one of your staff.
The latest trend is to target specific individuals or groups within organizations in a more personal and devious manner - now called spearphishing. Spearphishing is a common tactic of Advanced Persistent Threat campaigns, which aim to gain entry to the target organization’s network and obtain confidential information.
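The “from” field spoofing described above can be checked for on inbound mail. The following is an added example, not code from the article: heuristic indicators that the visible sender does not match where the message really came from, using an assumed internal domain and constructed sample messages.

```python
"""Heuristic checks for "From" field spoofing.  The internal domain and the
sample messages are constructed for illustration; these checks feed a review
queue or filter and complement, not replace, SPF/DKIM/DMARC at the gateway."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-clinic.test"  # assumed: the organisation's own domain
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w.-]+)")  # an address hidden in a display name

def _domain(addr):
    """Lowercased domain of an address, or '' when there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoofing_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a message looks spoofed; an empty list means none fired."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    env_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    reasons = []
    # 1. Header From claims our own domain, but the envelope sender is external.
    if from_dom == internal_domain and env_dom and env_dom != internal_domain:
        reasons.append("From claims %s but envelope sender is %s" % (from_dom, env_dom))
    # 2. The display name shows one address while the real address is another.
    hidden = ADDR_IN_NAME.search(from_name)
    if hidden and hidden.group(1).lower() != from_dom:
        reasons.append("display name shows %s but address is %s" % (hidden.group(1).lower(), from_dom))
    # 3. Replies are steered to a third domain the recipient never saw.
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    return reasons

# Constructed samples: one legitimate internal mail and two spoofing patterns.
SAMPLE_LEGIT = ("Return-Path: <jane.doe@example-clinic.test>\n"
                'From: "Jane Doe" <jane.doe@example-clinic.test>\n')
SAMPLE_EXTERNAL_CLAIMS_INTERNAL = ("Return-Path: <bounce@outside.test>\n"
                                   'From: "Jane Doe" <jane.doe@example-clinic.test>\n')
SAMPLE_LOOKALIKE_NAME = ("Return-Path: <bounce@mail-relay.elsewhere.test>\n"
                         'From: "jane.doe@example-clinic.test" <alerts@mail-relay.elsewhere.test>\n'
                         "Reply-To: <collect@elsewhere2.test>\n")
```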
If you want to shoot for compliance, here are three simple steps: